Phishing was the leading cause of data security events for the third consecutive year, according to a report that emphasized companies need to prioritize risk management goals and incident responsiveness.

The 2018 edition of the Data Security Incident Response Report, now in its fourth year, from the privacy and data protection team at New York-based BakerHostetler provides statistics and insights from more than 560 data security incidents managed by the firm across diverse industries, including finance and investment, healthcare, business and professional services, education, hospitality, government, aerospace and defense, and nonprofit.

“The stakes are higher than ever, but some entities still are not executing on the basics. Many have made great strides in their cybersecurity planning, but as threats evolve and entities change, they must also keep their security protocols current. It takes an 'all-in' approach from boards to senior management to entry level employees for best-in-class breach prevention and response planning,” Theodore J. Kobus, leader of BakerHostetler's privacy and data protection practice, said.

The report broke down the causes of incidents as follows: phishing, 34%; network intrusion, 19%; inadvertent disclosure, 17%; stolen/lost device, 11%; and system misconfiguration, 6%, a category that reflects instances where unauthorized individuals gain access to data stored in the cloud.

Noteworthy findings for financial institutions include the revelation that point-to-point encryption use is reducing the number of large card-present theft incidents. As experts predicted, EMV adoption has caused attackers to more frequently target e-commerce sites, and the report noted a resurgence in these attacks. “Even if a site uses tokenization, an attacker with access to the site's administrative console or checkout page code can bypass tokenization and capture payment card data.”

Also measured: size of entities with incidents, type of data impacted, the number of inquiries by regulators (64 by state attorneys general and 43 non-AG investigations), the average time frames in the incident response lifecycle (detection, containment, analysis, and notification), forensic investigation costs, and average size of notifications, among other statistics.

Data at risk: Social Security numbers, 46%; health information, 39%; other confidential information, 26%, such as student ID numbers, usernames and passwords, and intellectual property; birthdate, 24%; financial data, 15%; PCI data, 12%; and driver's license, 10%.

“Compromise Response Intelligence should be used by entities to prioritize and gain executive support for security spending, educate key stakeholders, fine-tune incident response plans, work more efficiently with forensic firms, assess and reduce risk, build scenarios for tabletop exercises and determine cyber liability insurance needs,” Theodore J. Kobus III, leader of BakerHostetler's privacy and data protection practice said.

Entities also need to be aware that regulators have become aggressive in investigating breaches, with upticks not only in the number of inquiries by regulators (64 by state attorneys general and 43 non-AG investigations in 2017, compared to 37 state AG and 29 non-AG investigations in 2016) but also in the speed of investigation. And when the General Data Protection Regulation, with its short notification deadlines and onerous financial consequences for non-compliance, becomes effective on May 25, 2018 for entities established in the EU, the regulatory landscape will be even more challenging.

The report also studied the incident response timeline, which identifies the four key time frames of the incident response lifecycle: detection, containment, analysis, and notification. This timeline gives entities context for understanding when they will have reliable enough information to communicate about the incident.

The report suggested that entities in every industry should look at the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, even if this regulation does not cover the entity. “Experts believe it may be the model for future state or federal cybersecurity regulations.” The NYDFS cybersecurity regulation requires financial institutions to meet minimum cybersecurity standards and to report cybersecurity or data security incidents to regulators within 72 hours.

Overall, the Data Security Incident Response Report indicated that incident response times for 2017 were 66 days from occurrence to discovery (an increase of five days from 2016), three days from discovery to containment (an improvement of five days from 2016), 36 days from engagement of the forensics team to completion of the investigation (four days faster than the previous year), and 38 days from discovery to notification (three days better than 2016).

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been the writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and has worked on history projects funded by the U.S. Interior Department, the National Park Service and Warren County (N.Y.).